Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.

AEM as a Cloud : How to add nonce values to Content Security Policy Headers?

Avatar

Community Advisor

Hi Team

 

   I am trying to add CSP headers to my pages. I know we can add it as Headers via dispatcher (which is more secure) and also using meta tags. I need to add some nonce values. So I am thinking to use meta tags. Has anyone implmented CSP with nonce values in AEM as Cloud ? Do you have any pointers on the best approach ?

 

Thanks

Veena

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

9 Replies

Avatar

Community Advisor

@VeenaVikraman: We had implemented adding CSP headers addition through servlet Filters. 

Spoiler
I am not sure if this is the best way to add CSP header/rules.

But, this gave us the option to specify the content paths using 'sling.filter.pattern' (and other options that we get with Filter),  if we wanted to apply the rules for requests under a specific path alone.

Rules were authored on a config page which was applicable per site. We used a component to author multiple CSP rules and multi values for the domain etc.
The reason we did this was to be able to specify different CSP rules per website and site authors had the control over updating the rules.

After converting all the rules to a string, 'Content-Security-Policy' header was added to SlingHttpServletResponse object.

 

@Override
public final void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
ServletException {
//We skipped all of this on author run-mode OR if a site does not have the config-page OR config component is not authored.

String cspRules = "";
//get all csp rules and append to cspRules i.e default-src 'self'; style-src 'self' 'nonce-N2M0MDhkN2EtMmRkYi00MTExLWFhM2YtNDhkNTc4NGJhMjA3';
//add csp header to the response.
response.addHeader("Content-Security-Policy", cspRules )
chain.doFilter(request, response);

}

 

Please refer this for filter example : https://github.com/Adobe-Consulting-Services/acs-aem-samples/blob/master/core/src/main/java/com/adob...

 

Avatar

Community Advisor

@Kamal_Kishor Will this affect cache ? I understand adding nonce value require each request to have a new nonce value. That means, we cannot cache the responses as each response should be new with a new random generated nonce value. How did you handle that ?

Avatar

Community Advisor

@VeenaVikraman : I misunderstood your reply the first time.
We were using 'nonce-rAnd0m' in our CSP policy, so it was not an issue in terms of caching. I don't understand how it was/will protect since this is assumed to be a random/new value on every request.

--------------------------------------------------------------
Conceptually this should not affect page caching as sling Filter acts on a request if it goes to AEM instance. If a page is cached, it never comes to the instance.
I no longer have access to the system where this was implemented to validate now.

If you get a chance, please try and let me know as well if you see a different behaviour.
thanks.

Avatar

Community Advisor

got it. @Kamal_Kishor . For various unavoidable reasons, I have temporarily opted not to implement the nonce. At present, I have taken the approach of adding 'unsafe-inline' as a temporary measure until I can find a more suitable solution due to time constraints. We have incorporated the meta tag method to implement CSP, and another measure we've taken is to enable a page using CA config, allowing some of the header values to be editable.

 

One thing I wanted to highlight here. I assume , you guys might have referred https://content-security-policy.com/nonce/ , but nonce should have value which keeps chnaging for each request. 

And regarding cache, as I doubted , nonce and cache cannot work together. Anyone can correct me if that is wrong. But I went through some stack overflow and that is what I could infer from all my research. 

 

https://serverfault.com/questions/1059740/how-to-create-a-csp-nonce-and-yet-continue-website-caching

 

https://security.stackexchange.com/questions/144212/http-content-security-policy-nonce-and-caching

 

https://security.stackexchange.com/a/270556 

 

 

Avatar

Community Advisor

Hi @VeenaVikraman 
Yes, sorry I overlooked. 

let me find something related to AEM and share with you.



Arun Patidar

Avatar

Level 1

You can leverage Dispatcher SSI and mod_unique_id Module to generate nonce every request and SSI to put the nonce in the attribute.

 

For more details, check: https://abdulmunim.com/2024/04/securing-aem-scripts-with-csp-nonces-on-dispatcher-cache/